Multiple data store authentication

ABSTRACT

Systems and methods for authenticating access to multiple data stores substantially in real-time are disclosed. The system may include a server coupled to a network, a client device in communication with the server via the network and a plurality of data stores. The server may authenticate access to the data stores and forward information from those stores to the client device. An exemplary authentication method may include receipt of a request for access to data. Information concerning access to that data is stored and associated with an identifier assigned to a client device. If the identifier is found to correspond to the stored information during a future request for access to the store, access to that store is granted.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/899,947 filed Feb. 20, 2018, which is a continuation of U.S. patentapplication Ser. No. 15/362,236 filed Nov. 28, 2016, now U.S. Pat. No.9,912,671 issued Mar. 6, 2018, which is a continuation of U.S. patentapplication Ser. No. 15/155,061 filed May 15, 2016, now U.S. Pat. No.9,578,027 issued Feb. 21, 2017, which is a continuation of U.S. patentapplication Ser. No. 14/487,093 filed Sep. 16, 2014, now U.S. Pat. No.9,342,684 issued May 17, 2016, which is a continuation of U.S. patentapplication Ser. No. 13/614,583 filed Sep. 13, 2012, now U.S. Pat. No.8,839,412 issued Sep. 16, 2014, which is a continuation of U.S. patentapplication Ser. No. 11/640,629 filed Dec. 18, 2006, now U.S. Pat. No.8,438,633 issued May 7, 2013, which is a continuation-in-part of U.S.patent application Ser. No. 11/525,294 filed Sep. 21, 2006, now U.S.Pat. No. 8,064,583 issued Nov. 22, 2011, which is a continuation of U.S.patent application Ser. No. 11/112,690 filed Apr. 21, 2005, now U.S.Pat. No. 7,796,742 issued Sep. 14, 2010. The disclosure of each of theseapplications is incorporated herein by reference in their entirety.

BACKGROUND OF THE INVENTION 1. Field of the Invention

The present invention relates to authentication and access to data indata stores substantially in real-time, and to service activation,including simplified provisioning and multiple data storeauthentication.

2. Description of Related Art

Conventionally, a user purchasing services associated with a deviceneeds to register with a service provider to provide specificinformation about the user. The service provider often has a customerservice center that assists the user with registration for variousservices associated with the wireless device. For instance, the customerservice center can record personal information about the user in orderto provide wireless Internet services. The service provider typicallyrequires billing information from the user in order to identify the userand collect monies from the user for the services being provided.

When the user activates various services, the service provider mayprogram various databases with the user's personal information, as wellas information associated with the device the user is using to accessthe services. This process may be referred to as “provisioning.” Often,the user spends time on the phone with a representative of the serviceprovider in order to provide the information the service providerrequires in order to program the various databases. Alternatively, theuser may spend time on a device associated with the user in order toprovide the requisite information for the provisioning. In exchange forproviding the information to the service provider, the user obtainsaccess to certain resources made available by the service provider.

Other common-place factors in the mobile device world make repeatedauthentication experiences even more inconvenient. The need to accessmore than one account (e.g., personal and work e-mail), limited time toaccess an account (e.g., only a few minutes before a lengthy meeting),and the need to have access to new data in near real-time furtherevidence the difficulties encountered with repeated authentication.Notwithstanding, few users or enterprises are willing to surrender datasecurity (i.e., no user or device authentication wherein anyone couldconceivably access the account or data store given knowledge of theexistence of that account or data store) for the sake of convenience. Assuch, there is a need in the art for authenticating access to multipledata stores while maintaining certain security precautions offered byuser or device authentication.

Collecting the user's personal information and storing the informationin the databases is frequently done in order to maintain security andensure that each user pays for the resources being requested. However,users often resent the time it takes to register for access to theresources. Further, users may register many times with the same serviceprovider for different resources available via the service provider.Numerous minutes or hours spent entering information required by theservice provider may deter users from subscribing to the variousresources offered by the service provider. There is, therefore, a needfor a system and method for simplified provisioning.

SUMMARY OF THE INVENTION

An exemplary embodiment of the present invention provides a system forauthenticating access to multiple data stores. The exemplary embodimentmay include a server, which is coupled to a network. A client device maycommunicate with the server via the network. Various client devices maybe used in this embodiment including cellular telephones, personaldigital assistants, or a personal computer. The server may be configuredto authenticate access to a plurality of data stores coupled to theserver. The data stores may each include a connection managementapplication configured to inform the server of the presence of new dataor a change to existing data at the one or more data stores. The servermay be configured to authenticate access to the one or more data storesand forward the new data or changed existing data from the one or moredata stores to the mobile or client device. This forwarding of data mayoccur substantially in real-time. In one example, the data stores may beassociated with an electronic mail server provider.

A further embodiment of the system may also include a short messageservice (SMS) center. The SMS center may be configured to transmit anSMS message to the mobile device at the instruction of the server uponthe server having been informed of the presence of new data or a changeto existing data at the one or more data stores. The SMS messagetransmitted to the mobile device may cause the mobile device to initiatea synchronization operation whereby the server authenticates access tothe one or more data stores and forwards the new data or changedexisting data from the one or more data stores to the mobile device.

Yet another embodiment of the system includes an Internet Protocol (IP)connection manager configured to manage an IP connection between theserver and the mobile device. The IP connection may be used for and/orto initiate a synchronization operation whereby the server authenticatesaccess to the one or more data stores and forwards the new data or thechanged existing data from the one or more data stores to the mobiledevice.

In some instances, an SMS center may transmit an SMS message to themobile device at the instruction of the server upon the server beinginformed of the presence of new data or a change to existing data at theone or more data stores prior to the IP connection manager opening an IPconnection between the server and the mobile device. The SMS messagetransmitted to the mobile device may cause the mobile device to acceptthe IP connection being established by the IP connection manager andbetween the server and the mobile device, whereby the synchronizationoperation occurs asynchronously and in the background of other mobiledevice operations. By utilizing an SMS message to ‘wake up’ the mobiledevice and accept the IP connection, it may not be necessary to maintainan ongoing IP connection, which may drain battery resources or incurnetwork bandwidth charges in some mobile devices.

In some embodiments of the aforementioned system, the server may onlyauthenticate access to specific data stores of the one or more datastores. The specific data stores may be the one or more data storeshaving new data or changed existing data as indicated by the connectionmanagement application. Alternatively, the specific data stores may bethose manually identified by a user of the mobile device for aparticular synchronization operation. In yet another implementation, theserver may only authenticate access to those data stores identified by asynchronization profile for all synchronization operations, thesynchronization profile having been created by a user of the mobiledevice.

Authentication to the plurality of data stores may occur by utilizingdata provided to the server by the client device. Authentication mayalso occur by comparing the data provided to the server by the clientdevice with information at the plurality of data stores, which may havebeen provided by the client device during a previous authenticationencounter.

In some embodiments, the server may be further configured toauthenticate the client device prior to the server authenticating accessto the plurality of data stores. Authentication of the client devicemay, for example, include the user of information identifying the clientdevice or a token, which comprises a unique string of data.Alternatively, the server may be further configured to authenticate auser of the client prior to the server authenticating access to theplurality of data stores. Authentication may include use of a user nameor a user name in further combination with a password.

In another exemplary embodiment of the present invention, a computingdevice for authenticating access to multiple data stores is provided.The computing device may include a communications interface forexchanging information over a network; an identification module foridentifying a client device or user thereof based on informationprovided by the client device, the information may be provided by theclient device without intervention; and a registration module foraccessing multiple data stores and authenticating access to the multipledata stores by the client device or user thereof. The communicationsinterface may also receive information from the multiple data storesfollowing authentication and may further forward received information tothe client device. The communications interface may allow for the deviceto communicate with an SMS center or an IP connection manager in orderto inform a mobile device of the presence of new data or a change toexisting data at one or more of the multiple data stores and the need toinitiate a synchronization operation.

In some embodiments, a method for authenticating access to multiple datastores is provided, wherein an indication of the existence of new dataor a change to existing data at one or more of the multiple data storesis received. A mobile device is then informed of the existence of newdata or a change to existing data at one or more of the multiple datastores. A request from the mobile device for access to at least one ofthe one or more multiple data stores is received and the mobile deviceis queried. The query to the mobile device is for (at least) anidentifier associated with stored information for accessing the one ormore of the multiple data stores. The one or more of the multiple datastores are then accessed if the identifier received from the mobiledevice corresponds to the information associated with accessing the oneor more of the multiple data stores.

In a further embodiment, information at the one or more of the multipledata stores is forwarded to the mobile device. Forwarding of thisinformation may occur substantially in real-time. The forwardedinformation may be electronic mail. Data at the one or more of themultiple data stores may have been previously filtered and an indicationof the existence of new data or changed existing data at the data storemay be sent only when the filtered data corresponds to a particularconfiguration of the filter (e.g., desired data warranting thegeneration of an indication of new or changed existing data).

The mobile device may been informed of the existence of new data or achange to existing data at the one or more of the multiple data storesmay occur through the issuance of an SMS message trigger. The mobiledevice may also be informed through the issuance of an IP triggerfollowed by establishment of an IP connection. The IP connection may, insome embodiments, occur following the issuance of an SMS trigger. Uponthe mobile device being informed of the existence of the data via one ofthe aforementioned triggers (e.g., SMS, IP, or a combination of SMS andIP), a synchronization operation may commence.

The identification module of the computing device may identify theclient device based on a client identifier. The client identifier mayinclude a unique string of data (a token), which may have beenpreviously assigned to the client device by the identification module.The client identifier, in another embodiment, may include a telephonenumber or, alternatively, a user name associated with a user of thedevice.

The identification module, in some embodiments of the present invention,may compare the aforementioned client identifier with information at oneor more of the multiple data stores. The information at the multipledata stores may include information provided by the client device duringa previous authentication operation. The registration module may alsoquery the user of the client device for information required foraccessing the multiple data stores if that information is not currentlypresent.

An exemplary embodiment of the present invention provides a method forauthenticating access to multiple data stores. In the exemplary method,a request is received from a client device to access a data store.Information associated with accessing the data store is stored and anidentifier is assigned to the client device, that identifier beingassociated with the stored information. When a subsequent request foraccess to the data store is received, a query is made with respect tothe identifier and if the identifier corresponds to the storedinformation for accessing the aforementioned data store, the data storeis accessed.

In another embodiment of the aforementioned method, a client device mayrequest access to a second data store. Information associated withaccessing the second data store may be stored and further associatedwith the identifier initially associated with information concerning theaccess of the first data store. Upon receipt of a subsequent request foraccess to the second data store, if the assigned identifier correspondsto the information associated with accessing the second data store,access is granted to that data store. The information accessed at thefirst and second data store may be forwarded to the client device. Thatinformation may be electronic mail.

In yet another exemplary method for authenticating access to multipledata stores, a client device request for access to a data store isreceived. The client device may then be queried for an identifierassociated with stored information for accessing the data store. If theassigned identifier corresponds to the information associated withaccessing the data store, then the store may be accessed. The method mayfurther include the steps of accessing a further data store if theassigned identifier corresponds to information associated with accessingthe further data store. The information at the data stores may then beforwarded to the client device. The information may be electronic-mail.

An embodiment of the present invention provides for a computer-readablemedium having embodied thereon a program executable by a processor toperform a method for authenticating access to multiple data stores. Themethod may include receiving a client device request for access to adata store; storing information associated with accessing the datastore; assigning an identifier to the client device, wherein theidentifier is associated with the stored information for accessing thedata store; receiving a subsequent request for access to the data store;querying the client device for the assigned identifier; and accessingthe data store if the assigned identifier corresponds to the informationassociated with accessing the data store.

The computer-readable medium may further include a program executable toreceive a client device request for access to a second data store; storeinformation associated with accessing the second data store; associatethe stored information for accessing the second data store with thepreviously assigned identifier; receive a subsequent request for accessto the second data store; and access the second data store if theassigned identifier corresponds to the information associated withaccessing the second data store.

In yet another embodiment of the present invention, a computer-readablemedium is provided for authenticating access to multiple data stores.The method may include receiving a client device request for access to adata store; querying the client device for an identifier associated withstored information for accessing the data store; accessing the datastore if the assigned identifier corresponds to the informationassociated with accessing the data store; and accessing a second datastore if the assigned identifier corresponds to information associatedwith accessing the second data store. The computer-readable medium mayfurther include program instructions for forwarding information at thedata stores to the client device, wherein the forwarded information iselectronic mail.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an exemplary environment for providing simplifiedprovisioning in accordance with one embodiment of the present invention.

FIG. 2 illustrates a schematic diagram of an exemplary provisioningmodule in accordance with one embodiment of the present invention.

FIG. 3 shows a flow diagram of an exemplary process for providingsimplified provisioning in accordance with one embodiment.

FIG. 4 shows an exemplary process for providing simplified provisioningin accordance with one embodiment.

FIG. 5 illustrates an exemplary system for providing delivery ofelectronic-mail or other data in or substantially in real-time inaccordance with an embodiment of the present invention.

FIG. 6 illustrates an exemplary method for accessing information at adata store in or substantially in real-time in accordance with anembodiment of the present invention.

DETAILED DESCRIPTION

FIG. 1 illustrates an exemplary environment 100 for providing simplifiedprovisioning, including authentication of data store access, inaccordance with one embodiment of the present invention. A client 110communicates with a server 130 via a network 120. The client 110 mayinclude any type of device, such as a cellular telephone, a personaldigital assistant (PDA), a personal computer, etc. In some instances,client 110 may be a data-enabled device that can, for example, send andreceive electronic-mail, receive and send short message service (SMS)messages, access the Internet and so forth.

Any type of provisioning, which may include various forms ofauthentication, may be provided according to various embodiments of thepresent invention. For instance, the provisioning may include an eventregistering a user in response to a user request for services, acommunication to the user offering services, a communication to the userincluding activation data, a communication to the user with a uniformresource locator (URL) where the user can obtain additional informationregarding services, and so on (generally referred to as a “provisioningevent”). Any type of provisioning event is within the scope of variousembodiments of the present invention.

Similarly, any type of services provided by a service provider managingthe provisioning events is possible. For instance, the service providermay provide internet services, application services, wireless services,and so on. A common example of such a service includes electronic-mailaccess, which may be provided through an Internet electronic-mailaccount or through a server/data store as may be found, for example, ina commercial enterprise. The offering of electronic-mail services mayalso include an offering by a network provider or certain domain hostingcompanies that offer electronic-mail hosting as a value add to domainname hosting services.

A provisioning module 140 may be coupled to the server 130 for providingprovisioning event related services, which may include various forms ofauthentication. In one embodiment, the provisioning module 140 isincluded as a component of the server 130. In some instances, theprovisioning module 140 may be integrated and/or accessible to thestorage medium 150, which may sometimes be interchangeably referred toas a data store 150. In another embodiment, the provisioning module 140provides provisioning event related processing for various servers. Instill another embodiment, the provisioning module 140 may provideprovisioning event related processing for various storage mediums 150.

The server 130 may include or otherwise have access to one or morestorage mediums 150. Any type of storage medium 150 may be employedaccording to various embodiments of the present invention. In FIG. 1,the server 130 is coupled to the storage medium(s) 150 for storing andaccessing information included in the storage medium(s) 150. Thiscoupling may be direct (e.g., via software/hardware integration or maybe a communicative coupling that may occur over a network). Storagemedium(s) 150 may include internal mail servers at an enterprise or thatmay be offered by any variety of service providers. Storage medium(s)150 may also include databases for storage of contact and PersonalInformation Management (PIM) data as well as calendar, notes, and taskdata. Storage medium(s) 150 may also include data stores for documents(e.g., file servers).

In an exemplary embodiment, the client 110 contacts the server 130 viathe network 120 in order to request and/or access services provided by aservice provider associated with the server 130. For example, a user atthe client 110 may wish to subscribe to email services available by theservice provider. The server 130 requests information about the user atthe client 110 or about the client 110 itself before allowing the userto access services (i.e., authenticating access to the services and/ordata). This information may include user ID and/or password informationas well as data identifying the client device 110 such as phone number,static Internet Protocol (IP) address, dynamically assigned IP address,Electronic Serial Number (ESN), Mobile Identification Number (MIN),and/or International Mobile Equipment Identity (IMEI) data. In order toverify that the client 110 or its proxy is genuine, the server 130 mayaccess the storage medium(s) 150 to match data provided by the client110 with information the server 130 stored in the storage medium(s) 150as a result of prior encounters with the client 110. In someembodiments, such information may be stored locally at the server 130and the server 130 (as a proxy of client 110) authenticates the client110 and then accesses the storage mediums 150. Access of the server 130to the storage mediums 150 may require an additional authenticationprocess. For example, if the storage mediums 150 are not integrated withthe server 130 (e.g., server 130 and storage mediums 150 are overseen byseparate parties), which may be similar to the authentication of theclient 110.

Information may be provided automatically by the client 110 in responseto a server 130 request or may be part of a manual query responsewhereby the user provides certain information. Some information may bededicated to an automated response whereas other information may alwaysrequire a manual response. Some types of requested information may besubject to automatic and manual response as may be determined, forexample, by a client 110 device configuration or user setting.

In some instances, a client 110 or server 130 based application may beimplemented with respect to matching certain information to a particularformat. In the instance of a telephone number, an automated response toa request by server 130 may include an area code, local prefix, andnumber (10 total digits). The necessary information may, in someembodiments, be identified as a part of the request. A user, however,may manually provide additional information not required for processingthe response (e.g., a country code). The application may, in theseinstances, derive the necessary information or filter out unnecessaryinformation in order to arrive at an information format appropriate forthe particular operation (e.g., processing only the last ten digits ofthe numerical string provided by the user).

Any manner of collecting information associated with the user and/or theclient/device 110 associated with the user may be employed. The server130 may collect the information from previous encounters with theclient/device 110, from other service providers associated with the userand/or the client/device 110, and/or from any sources providinginformation about the user and/or the client/device 110.

The server 130 utilizes the provisioning module 140 to provide specifiedservices and configurations for those services to the user at the client110. The provisioning module 140 may verify information associated withthe client 110 in one embodiment (e.g., authentication). Theprovisioning module 140 may have access to the storage medium(s) 150 viathe server 130 or via a direct connection to the storage medium(s) 150.

FIG. 2 illustrates a schematic diagram of an exemplary provisioningmodule 140 in accordance with one embodiment of the present invention.The provisioning module 140 may provide users with accounts, theappropriate access to those accounts, all the rights associated withthose accounts (sometimes collectively referred to as authentication),all of the resources necessary to manage the accounts, and so forth.Provisioning may be utilized to refer to service activation and may alsoinvolve programming various databases, such as the storage medium(s)150, with the user's information, as discussed herein. Although theserver 130 may be identified as performing various functions, any of thefunctions may be performed by the provisioning module 140 and/orcomponents thereof.

The provisioning module 140 may include an identification component 210.The identification component 210 may perform various tasks related toidentifying the client 110 and/or the user associated with the client110. The identification component 210 may assign an identifier to theclient 110 and/or information associated with the user at the client 110when the client 110 is connected to the server 130. The identificationcomponent 210 may store the information in the storage medium(s) 150according to the identifier the identification component 210 associateswith the information.

In one embodiment, the identification component 210 assigns a uniqueidentifier, such as a number string (e.g., a token or a cookie), to theclient 110 and stores the information associated with the client 110according to the unique identifier. The identification component 210 maythen forward the unique identifier to the client 110 as a communication,or part of a communication, so that the client 110 can provide theunique identifier when the client 110 connects to the server 130 onanother occasion. The unique identifier may be provided as a matter ofcourse by the client 110 in future connections with the server 130 orthe server 130 may request the identifier from the client 110 as part ofnegotiating a connection between the two devices.

In another embodiment, a phone number associated with the client 110 isutilized by the identification component 210 to store informationassociated with the client 110. Accordingly, when the client 110 makesfurther contact with the server 130, the phone number may be used toaccess the information stored according to the phone number. The usermay provide the phone number associated with the client 110 and/or theclient 110 may provide the phone number to the server 130 when initialaccess to the server 130 is gained by the client 110.

The identification component 210 may also compare information providedby the user of the client 110 with information stored in the storagemedium(s) 150 related to the client 110. The comparison may be performedin order to verify that the user of the client 110 is the same user ofthe client 110 about which the server 130 captured information during aprevious encounter. The comparison may also be performed to ensure thatthe client 110 information in the storage medium(s) 150 is accurate.

For instance, if the phone number is utilized as the identifier and thephone number provided by the user at the client 110 in response to aquery is different from the phone number in the storage medium(s) 150,the user may have entered the phone number incorrectly, the originalinformation gathered at the server 130 may have been enteredincorrectly, and so on. The information from the storage medium(s) 150and the client 110 may be compared for any reason. As discussed herein,the server 130 may collect the information associated with the userand/or the client 110 during previous encounters with the client 110and/or from any other sources.

A registration component 220 may also be included with the provisioningmodule 140. The registration component 220 can utilize information fromthe storage medium(s) 150 to “pre-fill” or to otherwise fill ininformation associated with, a registration for the user associated withthe client 110. The server 130 captures information about the user whenthe client 110 accesses the server 130 initially and/or from any othersource, as discussed herein.

For example, when the client 110 logs onto the server 130 to checkemail, the server 130 may capture the phone number of the client 110,the username of the user associated with the client 110, or any otherinformation associated with the client 110. The information is stored inthe storage medium(s) 150 according to a unique identifier assigned bythe identification component 210, according to the phone numberassociated with the client 110, or according to any other method. Whenthe client 110 logs onto the server 130 again in order to requestinstant messaging services, for example, the registration component 220accesses the information in the storage medium(s) 150 in order tocomplete a registration for the user at the client 110 requesting theservices.

The registration component 220 can then query the user for anyinformation needed for registration that is not included in theinformation in the storage medium(s) 150. In one embodiment, informationassociated with the user and the client 110 is collected by the server130 from other sources, rather than from a previous encounter the client110 had with the server 130, as discussed herein. For instance, anotherservice provider may forward information associated with the client 110,the server 130 may access information about the client 110 on availabledatabases utilizing the phone number or other information about theclient 110, and so forth. Any manner of gathering information about theclient 110 to pre-fill the registration for services is within the scopeof various embodiments of the present invention.

The registration component 220 can register the user at the client 110for any services offered by the service provider associated with theserver 130, or otherwise. In one embodiment, the registration component220 can pre-fill information related to services being requested by theuser other than identification information. For instance, the server 130may store information related to user preferences in the storagemedium(s) 150. When the user requests services, the registrationcomponent 220 may utilize the user preferences information to pre-fillfeature selections associated with the requested services. For example,the registration component 220 may pre-select calendar features for theuser according to user preferences captured by the server 130 about useractivity related to other services, whether those services are offeredby the service provider or not.

The registration component 220 may also be used for generating profilessuch as a synchronization profile. Through a synchronization profile,the server 130 may only authenticate itself with those storage mediums150 that are identified in the profile. For example, if a user has anumber of data stores (e.g., storage mediums 150) to access, the profilemay indicate that only certain stores are to be accessed based on anyvariety of factors. Access to particular stores may be temporal (e.g.,only access every two hours). Access may be conditional (e.g., onlyaccess when a particular event has occurred at the store such as thearrival of new data or a change to existing data or a particular type ofnew data or change to existing data). Access may also be manual suchthat a user manually indicates (via client 110) the data stores that areto be accessed during a synchronization operation. Indication may be amanual input or a response to a query (e.g., ‘which stores do you wishto access?’). Different profiles amongst a group of profiles may beimplemented subject to particular settings by the user at any giventime.

A billing component 230 may be included with the provisioning module140. The billing component 230 can track user activity of the servicesprovided by the service provider. Accordingly, the billing component 230can determine when to bill the user for the services being provided. Theregistration component 220 can provide user information to the billingcomponent 230 that may be needed regarding where to bill the user, suchas an email address, for instance.

An application generator 240 may be included with the provisioningmodule 140 for configuring the application and/or services requested bythe user for the device 110 associated with the user. The applicationgenerator 240 can also create the application for the user including anyfeatures the user desires. Any type of application generator 240 may beprovided.

In one embodiment, the application generator 240 may utilizeprovisioning templates to create the profiles for configuring variousdevices, such as the client 110 (FIG. 1) associated with the user. Forinstance, the templates may provide the parameters for creating aparticular application. The user can also specify customizations to theapplication, which can be used to modify the template for theapplication by the application generator 240. In other words, theprovisioning templates can provide parameters for configuring variousdevices for the services as well as customizing the actual servicefeatures. The application generation 240 may be utilized in the contextof various synchronization profiles, as mentioned above.

A communications interface 250 may also be provided with theprovisioning module 140. The communications interface 250 receivescommunications from the user and/or the server 130 and processes theinput utilizing the components discussed herein. Any variety ofcommunications interfaces 250 for a variety of communication mediums andprotocols in addition to any number of interfaces may be implemented. Assuch, a communication interface 250 may be a software application (e.g.,a driver) coupled to a hardware device (e.g., Universal Serial Bus(USB), serial, Ethernet, and so forth).

Although the provisioning module 140 is described as including variouscomponents, the provisioning module 140 may include more components orfewer components than those listed and still fall within the scope of anembodiment of the invention. For example, the provisioning module 140may also include business rules for building the applications, acustomer service component for managing applications and errors, aprotocol configuration component for managing a variety of protocolsassociated with various devices, and so forth.

FIG. 3 shows a flow diagram of an exemplary process 300 for providingsimplified provisioning in accordance with one embodiment. At step 310,information associated with a user during a non-provisioning event isstored. As discussed herein, the information may be stored in thestorage medium(s) 150. The server 130 collects information about theuser and the client 110 associated with the user when contact is madewith the server 130 at a time when provisioning is not occurring. In oneembodiment, as discussed herein, the server may collect informationrelated to the user and the client 110 from another source, rather thanfrom the client 110, which also may constitute a non-provisioning event.

In one embodiment, the information related to the user and the client110 may be collected during one or more previous provisioning events.For instance, the server 130 may store information associated with theuser and the client 110 during previous provisioning events in order toavoid or limit querying the user for the same information during futureprovisioning events.

The information may be stored according to a phone number associatedwith the device 110 and/or according to a unique identifier assigned tothe device 110. For example, the server 130 may assign a uniqueidentifier to the information collected from the device 110 when thedevice 110 is connected to the server 130. In order to associate theunique identifier to the device 110 for recognition during futurecontact with the server 130, a text message, for example, can be sent tothe device 110 with the unique identifier. The unique identifier maythen be sent back to the server 130 to identify the device 110 if thephone number, for example, cannot be accessed by the server 130. Asdiscussed herein, in one embodiment, the server 130 receives informationabout the user and/or the client 110 from a third party source andstores the information according to the phone number and/or a uniqueidentifier.

At step 320, the information is utilized to pre-fill a registrationrelated to a provisioning event. The information collected by the server130 from the client 110 during a previous contact with the server 130and/or from another source (e.g., phone network) is utilized to completeas much of a registration as possible without user input. Accordingly,the user at the client 110 is not required to provide information thatthe server 130 can access itself.

At step 330, one or more communications are forwarded to the user. Theone or more communications are based on the information stored andrequest information to complete the registration for the provisioningevent. In one embodiment, the information requested to complete theregistration includes a user query to verify that the information usedto complete the registration is correct. The information requested mayinclude a user query to provide a password to complete the registrationprocess, in another embodiment.

By using the information collected by the server 130 during anon-provisioning event that occurred prior to a current provisioningevent to complete a registration, or a portion of the registration, theuser at the client 110 can provide less information than required if noinformation about the user was accessible or utilized to pre-fill theregistration. Accordingly, the user at the client 110 is provided withsimplified provisioning, which may also be applied to futureauthentication operations such as synchronization of data between theclient 110 and storage medium 150.

Turning now to FIG. 4, an exemplary process 400 for providing simplifiedprovisioning in accordance with one embodiment is shown. At step 410,information associated with a user is stored. As discussed herein, theinformation may be stored by the server 130 and/or to one or morestorage mediums, such as the storage medium(s) 150 discussed in FIG. 1.

An identifier is assigned to the information at step 420. The identifiermay be assigned to the information in order to locate the information inthe storage medium(s) 150, in order to compare the information withother information provided by the user during future contacts with theserver 130, and so on. The identifier may be assigned to the informationfor any reason. As discussed herein, the identifier may be a phonenumber associated with a device of the user, such as the device 110discussed in FIG. 1, a unique identifier assigned by the identificationcomponent 210 of the provisioning module 140 associated with the server130, and/or any other type of identifier.

At step 430, the user is queried for identification during aprovisioning event (e.g., a subsequent authentication operation as mightprecede a synchronization operation). The identification sought from theuser may be confirmation of the identifier used to store the informationat step 420, such as the phone number and/or the unique identifier. Theidentification sought, however, may be any type of information from theuser. For example, a “username” may be sought in order to match theusername associated with the user with the username stored in thestorage medium(s) 150.

At step 440, the information is accessed in order to match theidentification from the user with the identifier associated with theinformation in response to receiving the identification from the user.The provisioning module 140 accesses the information in the storagemedium(s) 150, directly or via the server 130, associated with the userand compares that information with the identification received from theuser in response to the query.

By locating the information in the storage medium(s) 150 that waspreviously collected, the information can be utilized to register theuser during the provisioning event at step 450. The information cancomplete the registration or a portion of the registration associatedwith the services for which the provisioning event is taking place. Bycompleting the registration or a portion of the registration withinformation existing about the user and the user device, such as thedevice 110 discussed in FIG. 1, the user is only required to providedata for the registration not included in the information from thestorage medium(s) 150. Thus, the user experiences a streamlinedprovisioning process that is equally applicable to and inclusive of anauthentication operation.

In one embodiment, as discussed herein, the information is utilized tocomplete the registration and the user is queried to verify that theinformation utilized is correct. In another embodiment, the user isqueried to verify the accuracy of the information utilized according toa length of time between the provisioning event and when the informationwas collected. For instance, if the information was collected by theserver 130 less than one month prior to the provisioning event, theserver 130 may not seek verification from the user that the informationis still accurate.

At step 460, the user is queried for a password in order to complete theprovisioning event. The password may help to ensure that an intendeduser receives services. For instance, the server 130 may forward thecommunication regarding services to a user that did not request theservices or requested the services using another user's information.Provisioning related information may erroneously reach users for avariety of reasons. The user is queried for the password in order toverify that the user matches the intended user. For instance, if theprovisioning information is sent to a “user b” rather than the intended“user a,” “user b” will likely not know the “user a” password andresultantly will not be able to receive the services intended to go tothe “user a.” In some instances (as discussed below), the password maynot be required in that the client 110 has otherwise been authenticatedas valid by server 130 or some other device tasked with authenticatingthe client 110.

The provisioning event is completed in response to receiving thepassword at step 470. The password is compared with a password in thestorage medium(s) 150. Provided the password matches the password knownfor the particular user, the provisioning event may be completed. In oneembodiment, the server 130 accesses another database with user passwordinformation in order to confirm that the password provided is correct.Any method of verifying the password may be employed.

As discussed herein, the information from the storage medium(s) 150 maybe sufficient for completing the registration for the service provider.However, the service provider may require additional information tocomplete the registration. For instance, the information about the userand/or the client 110 associated with the user the server 130 originallycaptured may not provide enough information about the user and/or theclient 110 required for the registration for the services associatedwith the provisioning event. Accordingly, more information may becollected from the user. As part of the simplified provisioning processdescribed in FIG. 4, or any other exemplary provisioning process, theuser may be queried for additional information to complete theregistration.

In one embodiment, the server 130 stores information associated with theuser during the client 110 connection with the server sometime prior tothe provisioning event. Using the provisioning templates, discussed inFIG. 2 in connection with the application generator 240, the server 130may collect other information about the user from third party databasesin order to complete registration for provisioning for many of theservice provider's services based on the provisioning templates. Anytype of method for gathering information about the user and/or thedevice 110 associated with the user for simplifying provisioning iswithin the scope of various embodiments.

FIG. 5 illustrates an exemplary system 500 for providing delivery ofelectronic-mail or other data in, or substantially in, real-time inaccordance with various embodiments of the present invention. Deliveryof electronic-mail and/or other data from a data store 510 may occur in,or substantially in, real-time to allow for increased synchronicitybetween a mobile device 540 and the data store 510. References toreal-time or substantially in real-time may generally be construed tomean ‘as quickly as possible.’ For example, if new data arrives at thedata store 510, the present system may undertake certain efforts tosynchronize that with a mobile device 540 as quickly as possible.

By further example, some systems may only attempt to synchronize data ona temporal schedule (e.g., every 15 minutes). Such systems are, in fact,out-of-synch between mobile device and data store in that asynchronization operation may take place and then new data arrivesimmediately following the conclusion of that operation. Thus the deviceand data store are out-of-synch for as long as 15 minutes (in thepresent example). By implementing real-time or substantially in-realtime data synchronization, upon arrival of new data or a change toexisting data at the data store 510, various components of the presentsystem will undertake certain operations to bring the data store 510into synchronization (at least with respect to desired data) with themobile device 540 as quickly as possible.

The occurrence of network failures, loss of service, and other nuancesof data communication that may delay or even prevent the synchronizationof data should not be construed as causing the system to be anon-real-time data delivery system as the system may still undertakeefforts to synchronize as quickly as possible. Notwithstanding, thevarious embodiments of the present invention should not be exclusivelylimited to a real-time or substantially in real-time delivery system.Such a limitation should be applied solely as governed by the particularlimitations (if any) of the particular claim language as set forthbelow.

Access to the data store 510 may be authenticated via a provisioningmodule (140) like that described in the context of FIG. 2 and thevarious methodologies disclosed herein. The provisioning/authenticationmodule may be present at the data store 510, integrated with anotherapplication at the data store 510 such as connection application 520(described below), and/or present at an intermediate computing devicesuch as relay server 530.

Data store 510 may, in some embodiments of the present invention, be amail server that receives electronic-mail data (e.g., e-mail messages)for a particular enterprise or service provider. Data store 510 may beassociated with a particular enterprise such as an office environmentbut could also be an electronic-mail service provider/service such asGoogle (gMail), Yahoo! (Yahoo! Mail), or Microsoft (MSN Hotmail). Datastore 510 should not be construed as being limited solely toelectronic-mail and may include various other data (e.g., calendar,contacts and other PIM data, and documents) as well as other serviceslike those discussed in the context of FIG. 1. While only one data store510 is illustrated in FIG. 5, the single depicted data store 510 may berepresentative of one or more data stores 510 implemented in the presentinvention.

In those embodiments of the present invention wherein data store 510concerns electronic-mail, the data store 510 (e-mail account) mayutilize an IMAP4 or POP3 protocol. IMAP (Internet Message AccessProtocol) allows for access of electronic-mail messages that are kept ona mail server via a client e-mail or other proxy application as if themessages were locally stored. For example, electronic mail stored at adata store 510 utilizing IMAP may be manipulated without the need totransfer the messages or files back and forth between remote computingdevices. IMAP may be suited for use in a connected and disconnected mailsession as messages remain on the mail server until expressly deleted bythe user.

The Post Office Protocol (POP), however, may be best suited for a singlecomputing device due to POP support for ‘offline’ messaging wherebymessages are downloaded and then deleted from the mail server. As such,users retrieve messages and then view and manipulate those messageswithout necessarily being connected to the mail server. POP could beused amongst a plurality of computing devices if, for example, theyshared a common file system. Alternatively, a user could (via anelectronic mail client or proxy) elect to leave all messages on theserver. Notwithstanding, either protocol may be used in variousembodiments of the present invention.

Some embodiments of the present invention may further require a softwareapplication to be executed at a host computer such as a connectionmanagement application 520. This connection management application 520may be executed in the background of a computing environment without theneed for user intervention. For example, on a Windows based-PC, theWindows Services Manager may administer such an application such thatthe application runs independent of any user control (other thanpossible administrative tools for configuration). This application 520may launch automatically with the host computer and may facilitatedelivery of electronic mail or other data to a mobile deviceautomatically. The connection management application 520, as a result ofan installation operation or through user configuration (for example,through the aforementioned administrative tool), may read the name of amail server and the IP address of the host computer from the hostcomputer registry whereby the connection application 520 may identifythe arrival of new electronic-mail at data store 510 or changes topresently existing data (e.g., a change in a calendar appointment or thecreation of a new appointment in a calendar application) and properlyinform relay server 530 of the arrival of/change to the same such that asynchronization operation may commence with any requisite authenticationoperations.

Connection management application 520 may also be used for manipulatingdata such as task lists, memo lists, the aforementioned calendar data,and contacts. Connection management application 520 may also allow forinteraction with data from other devices and/or software platforms.Connection management application 520 may also enable a user tointroduce new software application to a mobile device 540 via anover-the-air update operation or through, for example, a synchronizationcable. Connection management application 520 may also allow for back-up,filtering, and/or deletion of data.

In some embodiments of the present invention, the aforementionedsynchronization operation may be a manual operation that is initiated bya user. The user may enter a command on their mobile device 540 tocommence synchronization with the relay server 540 and/or data store 510and new mail or other data (both new and changed data) is provided tothe user's mobile device 540. In such an embodiment, the connectionapplication 520 may not be necessary as the client device 540 and/orrelay server 530 accesses the data store 510 utilizing the variousprovisioning/authentication operations discussed herein without regardfor whether new or changed data actually exists at the data store 510.The connection application 520 may be useful, however, with respect toinforming a relay server 530 of the actual existence of new and/orchange data. The relay server 530 may then inform the user's mobiledevice 540 of the existence of that data through, for example, an SMSand/or IP exchange as discussed herein. In such an embodiment, the usermay still (via manual synchronization) make a decision of when toinstitute the synchronization operation upon receipt of some indicia ofthe existence of new and/or changed data.

The relay server 530 may be implemented in any variety of computingdevices as are generally known in the art. In some embodiments, therelay server 530 may operate as a central node for delivery ofelectronic-mail or other data. The relay server 530, too, may controluser/device validity (e.g., authentication and provisioning) and mayalso be used as a point of presence for a web-based interface. In someembodiments, the relay server 530 may be horizontally scalable.Horizontal scalability may be achieved, for example, by introducing newhardware instances to the system. The relay server 530 may also beredundant such that the failure of any single component will not resultin system downtime. Redundancy may allow for the introduction ofupgrades and additional scaling servers without resulting in systemdowntime.

In some embodiments, the relay server 530 may be informed by connectionmanagement application 520 of the existence of new and/or changed dataat the data store 510. The relay server 530, depending upon theparticular implementation of the system, may authenticate access to thedata store 510 and subsequently forward the data to the mobile device540 (e.g., through a push operation). In other embodiments, the relayserver 530 (upon indication by the connection management application 520that new and/or altered data is present at data store 510) may providean instruction to an SMS service center 550 to ‘wake up’ the mobiledevice 540 via an SMS message such that a synchronization operation maytake place or is at least desirable in light of the new and/or changeddata.

In still further embodiments, the relay server 530 may operate inconjunction with an IP connection manager 560 to institute an IPconnection for synchronization of data. Through use of the IPconnection, synchronization may occur asynchronously and in thebackground of other mobile device operations. A constantly open IPconnection may, however, drain battery resources at the mobile device540 and/or incur various bandwidth usage charges. As such, and in yet anadditional embodiment, an SMS message may cause the device 540 to ‘wakeup,’ which may then allow for the opening of an IP connection via the IPconnection manager 560 in a ‘hybrid’ implementation. In this manner, theIP connection is opened and/or maintained only when new data and/orchanged data is present at the data store 510.

The Short Message Service (SMS), as noted above, may be utilized toinform the mobile device 540 of the arrival of new mail (or other new orchanged data) at data store 510. SMS allows text messages of up to 160characters (or 224 in a 5-bit mode) over a Global System for Mobile(GSM) communication network. The text-message characters are sent,received, and may even be generated (for example, with a user interface)via a SMS-gateway, which may be accessed directly as SMS center 550 orvia a web-based interface in conjunction with relay server 530.

The SMS-message may be generated as the result of connection managementapplication 520 reflecting the arrival of new and/or changed data at thedata store 510, this arrival being communicated to relay server 530,which in turn causes a message to be generated and delivered from theSMS center 550. SMS alerts may be utilized not only for electronic-mailarrivals at the data store 510 but also for generation of new calendaralerts or subject to various filtering mechanisms. For example, filtersmay be applied to identify messages or other data arriving from specificcontacts, messages of a certain priority, and meeting requests scheduledfor certain days and/or various hours and/or days of the week. In someembodiments, the SMS trigger may be encrypted. In any case, the receiptof the SMS-message may automatically initiate a synchronizationoperation wherein various authentication activities as discussed hereinmay be necessary. The SMS-message, in some embodiments, may simplyinform the user of the mobile device 540 that synchronization isdesirable in light of the presence of new and/or changed data at thedata store 510.

In some embodiments of the present invention, IP-based triggers may beutilized. As noted above, IP-based asynchronous synchronization mayallow for background arrival of messages such that the user is notinterrupted by such an operation. A further benefit of IP-basedtriggering is that it may be carrier agnostic. An IP connection manager560 may be implemented to keep track of active connections and/or forsending IP triggers when appropriate. The relay server 530 may shut downconnections or define sync schedules while the client device 540 mayhave the ability to maintain a connection to the connection manager 560.When an IP trigger is received, the client 540 may connect and perform asynchronization operation with data store 510 via relay server 530.

An incoming e-mail message at data store 510 may activate thenotification framework, for example, via connection managementapplication 520. A notification generator at relay server 530 will causean instruction to be delivered to the SMS center 550 for purpose ofgenerating an SMS message to be forwarded to the mobile client or,alternatively, the notification generator at the relay server 530 maycause the IP Connection Manager 560 to open a connection with the mobileclient through an IP trigger. In the SMS+IP trigger hybridconfiguration, the SMS message may ‘wake up’ the device while an IPconnection may be used for synchronization. The client 540 and server530 may then negotiate the signaling mechanism based on clientcapabilities and available options.

In the IP- and hybrid-trigger configurations, various values may be setby the server and may be updated including a keep alive frequency thatmay determine how often the client 540 ‘pings’ the connection manager560, the time to maintain connection, and/or the amount of time theclient 540 should maintain the connection when it is idle (e.g., notriggers are received from the server 530. For example, in thehybrid-trigger configuration, the client 540 may maintain an IPconnection for 30 minutes and if no email arrives in the time period,the connection may be terminated. When new email does arrive, the server530 may send an SMS to wake up the client device 540.

In some embodiments of the present invention, connection manager 560,SMS center 550 and relay server 530 may be integrated as part of asingle computing device or in the sense that the devices may not bephysically remote from one another (e.g., the devices may be independentcomputing devices but located in a single communications facility). Thevarious devices, however, may also be physically remote depending on theparticular configuration of a communications service provider. Forexample, in one example, the messaging bridge that communicativelycouples data store 510 and client device 540 may be hosted by, forexample, a cellular service provider.

While real-time or near-real-time delivery of content may be achievedutilizing the various triggering mechanisms, synchronization may alsooccur periodically (e.g., every n minutes). Synchronization may also bemanually initiated through any variety of mechanisms includinguser-initiated over-the-air or via a physical coupling as may occurthrough, for example, a synchronization cable.

In addition to authentication authorization to access certain datastores 510, the information used in such authentication operations orstored for the purpose of such authentication operations may beencrypted. Authentication operations may utilize end-to-end 128-bit AESand Diffie-Hellman secret-key negotiations. Further, embodiments of thesystem may avoid the use of store-and-forward solutions such that datais never stored or written to disk before or after transmission of data(accessed and/or authentication related). Data may be encrypted prior tobeing transmitted to the mobile device 540. In such an embodiment, whendata arrives in the operator network, it is still encrypted and only themobile device 540 has the unique AES key required to decrypt the data.

In some embodiments, the system may utilize a data-obliterationoperation. For example, if a mobile device 540 is lost or stolen, a usermay initiate a data-obliterate command via a computing device coupled tothe connection management application 520 or the relay server 530 suchthat all data on the device 540 is removed (such as authentication andprovisioning data). The user may also lock-down the device and preventit from future use. As such, certain embodiments of the presentinvention may require the installation of client software at a mobiledevice 540 in order to receive and process certain communications fromthe host computer application.

FIG. 6 illustrates an exemplary method 600 for accessing information ata data store in or substantially in real-time in accordance with anembodiment of the present invention. In step 610, new data arrives atthe data store (e.g., data store 510 of FIG. 5). New data may beelectronic-mail, calendar data (e.g., meeting invitations, acceptance ofmeeting invites), electronic documents (e.g., Microsoft Word, MicrosoftExcel, Microsoft PowerPoint®, Adobe® PDF, Corel® WordPerfect®, HTML andASCII), and so forth. Data may also be changed in step 610. For example,the time or place for a meeting may be rescheduled.

In optional step 620, a filter may be applied by, for example,connection application 520. The filter may concern particular senders ofan electronic-mail message, message priority, subject of a message (asmay be determined from a subject line of textual analysis of themessage), address book, contacts, and so forth. The filter may alsoidentify changes to already existing data (e.g., changes to the time orplace of a particular meeting).

In step 630, connection application 520 informs the relay server (530)of the arrival of the new data/filtered data. Upon receipt of anotification at the relay server 530 from the connection application520, a trigger is generated in step 640 for the mobile device such thata synchronization operation should take place in light of the arrival ofnew, or a change to existing, data.

In one embodiment of the present invention, the synchronizationoperation may be the result of a hybrid of SMS and IP triggers. As such,the triggering mechanism may initially be an SMS ‘wake up’ triggergenerated at step 650 by SMS center 550. After awakening mobile device540 via the delivery of an SMS-trigger in step 650, the mobile device540 may then be in a state to allow for synchronization, the need forwhich may be indicated via an IP-trigger in step 660, which may bemanaged via IP connection manager 560. The IP-trigger generated in step660 may be processed by the mobile device 540 via client-side softwareinstalled on the device 540. The synchronization operation may includean authentication operation in step 670 whereby user name, password orother access data is provided to a particular data store (510), namelythat store indicating that a synchronization operation is required orthat is otherwise reflected by a particular synchronization profile orthe manual instructions of the user. The synchronization operation maythen commence in step 680.

In another embodiment of the present invention, the relay server 530(and, in some instances, in conjunction with IP connection manager 560),may issue the IP synchronization trigger in step 660. In such anembodiment, issuance of an SMS wake up trigger (like that described instep 650) may not be necessary if an IP-connection already exists and/orthe device 540 is already ‘awake’ and configured for a synchronizationoperation. Upon issuance of the IP-trigger in step 660, authenticationto data stores may occur in step 670 and a synchronization operation maycommence in step 680.

In a still further embodiment of the present invention, the mobiledevice 540 may be configured in such a way (for example, throughclient-side software) that an SMS-synchronization trigger is issued bythe SMS center 550 in step 690 such that authentication may begin instep 670 followed by synchronization in step 680.

In some embodiments of the present invention, the user may only wish toaccess information at a particular data store (such as the storeindicating the need for synchronization due to the arrival of new or achange to existing data). For example, a user may have multipleelectronic-mail accounts but may only be interested with respect tomessages being received at a particular account (e.g., a personalaccount). Rather than have the mobile device 540 and relay server 530constantly authenticate access to a plurality of data stores 510, whichcan take time, drain battery power, and consume network bandwidth (andwhich may result in usage charges depending on a particular networkprovider), the user may instead seek access and authentication to only aparticular data store 510 or series of data stores 510.

The user may designate a particular data store 510 to be accessed priorto initiating an authentication operation or the mobile device 540 mayquery the user prior to initiating the authentication operation. Accessto particular data stores may also be reflected via a synchronizationprofile. Various user interfaces may be utilized to indicate desiredaccess to particular data stores or profile concerning access to suchstore may also be created such that authentication operations arecarried out with respect to a particular profile.

While various embodiments have been described above, it should beunderstood that they have been presented by way of example only, and notlimitation. For example, any of the elements associated with theprovisioning module may employ any of the desired functionality setforth hereinabove. Thus, the breadth and scope of an exemplaryembodiment should not be limited by any of the above-described exemplaryembodiments. Further, the disclosure of the present application shouldnot be interpreted in any adverse fashion with respect to any parentapplication from which the present application claims a prioritybenefit. The present application may expand upon or provide moreexplicit support for the scope and disclosure of any precedingapplication. Such expansion or explicit recitation in the presentapplication should not be construed as suggesting that any precedingdisclosure lacked support for the same. Further, various methodologiesdisclosed herein may be included as programs embodied on computerreadable mediums for executing the methods disclosed herein.

The invention claimed is:
 1. A system for authenticating access to oneor more data stores, comprising: a server communicatively coupled to anetwork and the one or more data stores, wherein the server isconfigured to: generate a unique identifier for a client device upon theclient device initially communicating with the server; send the uniqueidentifier to the client device so that the client device can presentthe unique identifier in a subsequent communication with the server;receive registration information from the client device; store theregistration information; associate the stored registration informationwith the unique identifier of the client device; receive via asubsequent communication with the client device a request toauthenticate the client device to access the one or more data stores,wherein the request includes the unique identifier; use the uniqueidentifier to retrieve the stored registration information that isassociated with the client device; authenticate access to the one ormore data stores on behalf of the client device using the storedregistration information, and forward information from the one or moredata stores to the client device following authentication.
 2. The systemof claim 1, wherein the one or more data stores is associated with anelectronic mail service provider.
 3. The system of claim 1, wherein theclient device is a cellular telephone.
 4. The system of claim 1, whereinthe client device is a personal digital assistant.
 5. The system ofclaim 1, wherein the client device is a personal computer.
 6. The systemof claim 1, wherein the server authenticates the client device prior tothe server authenticating access to the one or more data stores.
 7. Thesystem of claim 1, wherein the server authenticates a user of the clientdevice prior to the server authenticating access to the one or more datastores.
 8. The system of claim 6, wherein the authentication of theclient device includes the use of the unique identifier.
 9. The systemof claim 6, wherein the unique identifier is a token, the tokencomprising a unique string of data.
 10. The system of claim 7, whereinthe authentication of the user of the client device includes the use ofa user name.